
Escalating the Attack

Published on 2024-10-11 20:33:57 (2,931 characters)

Websites often serve pages without clickjacking protection. As long as the page doesn’t contain exploitable actions, the lack of clickjacking protection isn’t considered a vulnerability. On the other hand, if the frameable page contains sensitive actions, the impact of clickjacking would be correspondingly severe.


Focus on the application’s most critical functionalities to achieve maximum business impact. For example, let’s say a site has two frameable pages. The first page contains a button that performs transfers of the user’s bank balance, while the second contains a button that changes the user’s theme color on the website. While both of these pages contain clickjacking vulnerabilities, the impact of a clickjacking bug is significantly higher on the first page than on the second.


You can also combine multiple clickjacking vulnerabilities or chain clickjacking with other bugs to pave the way to more severe security issues. For instance, applications often send or disclose information according to user preferences. If you can change these settings via clickjacking, you can often induce sensitive information disclosures. Let’s say that bank.example.com contains multiple clickjacking vulnerabilities. One of them allows attackers to change an account’s billing email, and another one allows attackers to send an account summary to its billing email. The malicious page’s HTML looks like this:


<html>
  <h3>Welcome to my site!</h3>
  <iframe
    src="https://bank.example.com/change_billing_email?email=attacker@attacker.com"
    width="500" height="500">
  </iframe>
  <iframe src="https://bank.example.com/send_summary" width="500" height="500">
  </iframe>
</html>

You could first change the victim’s billing email to your own email, then make the victim send an account summary to your email address to leak the information contained in the account summary report. Depending on what the account summary discloses, you might be able to collect data including the street address, phone numbers, and credit card information associated with the account! Note that for this attack to succeed, the victim user would have to click the attacker’s site twice.

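The chain above only works because the two bank endpoints can be embedded from a foreign origin. The following added example (not from the original text) is a small audit helper a defender could run over recorded response headers: it decides whether a page is frameable from a given origin by interpreting X-Frame-Options and the CSP frame-ancestors directive, then lists the sensitive pages that an attacker-controlled origin could frame. The origins, paths and header values below are constructed for illustration.

```python
# Added example: decide whether a response can be framed from a given origin,
# based on its X-Frame-Options and CSP frame-ancestors headers.

def _parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def frameable_by(headers, page_origin, framing_origin):
    """True if a page served with `headers` from page_origin can be put in an
    <iframe> on framing_origin. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = page_origin.lower() == framing_origin.lower()
    # When both headers are present, frame-ancestors takes precedence over X-Frame-Options.
    sources = _parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "none" in sources:
            return False
        if "*" in sources:
            return True
        if same_origin and "self" in sources:
            return True
        return framing_origin.lower() in sources
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    # No header, or the obsolete ALLOW-FROM that current browsers ignore: frameable.
    return True

def audit_sensitive_pages(pages, attacker_origin):
    """Return the paths of sensitive pages that attacker_origin could frame.
    pages: {path: (page_origin, response_headers, is_sensitive)}"""
    return sorted(path for path, (origin, headers, sensitive) in pages.items()
                  if sensitive and frameable_by(headers, origin, attacker_origin))

# Constructed sample responses for the two endpoints used in the chain above,
# plus a harmless page and one correctly protected with frame-ancestors 'none'.
BANK = "https://bank.example.com"
SAMPLE_PAGES = {
    "/change_billing_email": (BANK, {}, True),
    "/send_summary": (BANK, {"X-Frame-Options": "ALLOW-FROM https://partner.example"}, True),
    "/change_theme": (BANK, {}, False),
    "/account": (BANK, {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}, True),
}

if __name__ == "__main__":
    print(audit_sensitive_pages(SAMPLE_PAGES, "https://attacker.com"))
```

Both endpoints of the chain show up as frameable; the ALLOW-FROM value on /send_summary gives no protection because modern browsers ignore it, so a CSP frame-ancestors directive (or X-Frame-Options DENY/SAMEORIGIN) is the fix.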
